The Simplified
E-⁠Discovery Case Law Library
A collection of simple, easy to understand analyses and resources on e-⁠discovery case law.
Case shelved under Reasonableness

Hacking of Servers Doesn’t Warrant Spoliation Sanctions

Masterobjects v. Inc.
N.D. Ca. March 13, 2022
Why This Case Is Important

What are reasonable steps to preserve potentially relevant data under the FRCP? In this case, the court ruled that a data breach didn’t warrant spoliation sanctions—even if data was lost—if reasonable data security measures were taken.


In this case, the defendant contended that a variety of discovery violations were committed by the plaintiff, including but not limited to (1) not obeying a court-issued discovery order and (2) potential spoliation.

At the start of discovery, the magistrate judge ordered the plaintiff to produce data from related litigation in response to the defendant’s production requests. While the plaintiff did produce some requested data, they failed to meet the production deadline set by the court.

Additionally, the defendant argued that the plaintiff still had not produced responsive documents in their control. At the court hearing, the plaintiff conceded that they “had made no effort to produce documents” held by counsel from a related matter.

Regarding the alleged spoliation, the plaintiff’s database had been hacked and potentially relevant data may have been lost.

  • Sanctions Granted and Dismissed. The court rejected the defendant’s motion for alleged spoliation but granted the defendant’s motion for violating the discovery order.
  • Violation of Discovery Order. Because the plaintiff didn’t meet the discovery order deadline and not all requested data within the order was produced, the court ordered the plaintiff to “perform a complete search of its own files AND all documents in its custody and control.”
  • Alleged Spoliation. The fact that the plaintiff’s database was hacked did not meet the standard to show that the plaintiff “did not take reasonable steps” to preserve relevant data. The court stated that the plaintiff “protected its servers to the best level achievable at the time and employed knowledgeable consultants to assist in that effort.” On top of that, the defendant did not prove that relevant evidence was spoliated by the hack.

Legal Analysis
On Masterobjects v. Inc.
Nancy Patton, Esq., CEDS Senior Director, Solution Consulting, Exterro

Inevitably, the worlds of data breach and data preservation are bound to intersect. In this case, spoliation sanctions were not warranted when the data loss was due to a data breach, based on how the party protected its systems (but read the fine print). Interestingly, the court also states that the defendant did not prove that relevant evidence was spoliated by the hack. When a data breach occurs, what the court considers in spoliation analysis may be different than when spoliation occurs in more traditional ways.
